Scalable Protocols for
Authenticated Group Key Exchange∗
Jonathan Katz†
Moti Yung‡
Abstract
We consider the problem of authenticated group key exchange among n parties
communicating over an insecure public network. A number of solutions to this problem
have been proposed; however, all prior provably-secure solutions do not scale well and,
in particular, require O(n) rounds. Our main contribution is the first scalable protocol
for this problem along with a rigorous proof of security in the standard model under the
DDH assumption; our protocol uses a constant number of rounds and requires only O(1)
“full” modular exponentiations per user. Toward this goal (and adapting work of Bellare, Canetti, and Krawczyk), we first present an efficient compiler that transforms any
group key-exchange protocol secure against a passive eavesdropper to an authenticated
protocol which is secure against an active adversary who controls all communication in
the network. This compiler adds only one round and O(1) communication (per user) to
the original scheme. We then prove secure — against a passive adversary — a variant
of the two-round group key-exchange protocol of Burmester and Desmedt. Applying
our compiler to this protocol results in a provably-secure three-round protocol for authenticated group key exchange which also achieves forward secrecy.
1
Introduction
Protocols for authenticated key exchange (AKE) allow parties communicating over an insecure public network to establish a common secret key (a session key) and furthermore
to be guaranteed that they are indeed sharing this key with each other (i.e., with their intended partners). Protocols for securely achieving AKE are fundamental to much of modern
cryptography and network security. For one, they are crucial for allowing symmetric-key
cryptography to be used for encryption/authentication of data among parties who have no
alternate “out-of-band” mechanism for agreeing upon a common key. They are also instrumental for constructing “secure channels” on top of which higher-level protocols can be
designed, analyzed, and implemented in a modular manner. Thus, a detailed understanding
of AKE — especially the design of provably-secure protocols for achieving it — is critical.
The case of 2-party AKE has been extensively investigated (see, e.g., [25, 12, 26, 10,
35, 6, 38, 22, 23, 24]) and is fairly well-understood; furthermore, a variety of efficient and
∗
A preliminary version of this work appeared as [32].
[email protected]. Department of Computer Science, University of Maryland, College Park, MD.
‡
[email protected]. RSA Laboratories and Department of Computer Science, Columbia University,
New York, NY.
†
1
provably-secure protocols for 2-party AKE are known. Less attention has been given to
the case of group AKE where a session key is to be established among n > 2 parties;
we survey relevant previous work in the sections that follow. Group AKE protocols are
essential for applications such as secure video- or tele-conferencing, and also for collaborative
(peer-to-peer) applications which are likely to involve a large number of users. The recent
foundational papers of Bresson, et al. [17, 15, 16] (building on [10, 11, 8]) were the first to
present a formal model of security for group AKE and the first to give rigorous proofs of
security for particular protocols. These represent an important initial step, yet much work
remains to be done to improve the efficiency and scalability of existing solutions.
1.1
Our Contributions in Relation to Prior Work
The efficiency of a group AKE protocol should scale well with the number of users so as
to remain practical even when the number of users is large. (In Section 1.3 we discuss
in detail the complexity measures we use to evaluate the efficiency of protocols in this
setting.) Unfortunately, prior work is somewhat limited in this respect; we may summarize
the “state-of-the-art” for provably-secure group AKE protocols as follows (we exclude here
centralized protocols in which a designated group manager generates and distributes keys;
such schemes place a high burden on one participant who is a single point of failure and
who must also be trusted to generate keys properly):
• The most efficient solutions are those of Bresson, et al. [17, 15, 16] which adapt
previous work of Steiner, et al. [40]. Unfortunately, these protocols do not scale well:
to establish a key among n participants, they require n rounds and additionally require
(for some players) O(n) “full” modular exponentiations and O(n) communication.
• Subsequent to the present work, a constant-round protocol for group AKE has been
proven secure in the random oracle model 1 [14]. This protocol does not achieve forward secrecy (cf. [26]), and the exposure of a user’s long-term secret key exposes all
session keys previously-generated by this user. The protocol is also not symmetric,
and the initiator must perform O(n) encryptions and send O(n) communication.
The above solutions represent the best-known provably-secure protocols even under various
relaxations of the problem. For example, we are aware of no previous constant-round
protocol with a full proof of security in the standard (i.e., non-random oracle) model even
for the weaker case of security against a passive eavesdropper (but see footnote 2). Clearly,
an O(n)-round protocol is not scalable and is unacceptable when the number of parties
grows large or when network latency is the performance bottleneck.
Our main result is the first constant-round and fully-scalable protocol for group AKE
which is provably secure in the standard model (i.e., without assuming the existence of
“random oracles”). Security is proved via reduction to the decisional Diffie-Hellman (DDH)
assumption using the same security model as other recent work in this area [17, 15, 16, 14].
1
The random oracle model [9] assumes a public random function to which all parties (including the
adversary) have access. This random function is instantiated using a cryptographic hash function (e.g.,
SHA-1), appropriately modified to have the desired domain and range. Although proofs of security in this
model provide heuristic evidence for the security of a given protocol, there exist schemes which are secure
in the random oracle model but are insecure for any instantiation of the random oracle [21].
2
Our protocol also achieves forward secrecy [26] in the sense that exposure of principals’
long-term secret keys does not compromise the secrecy of previous session keys. (We of
course also require that exposure of multiple session keys does not compromise the secrecy
of unexposed session keys; see the formal model in Section 2.) Our 3-round protocol remains
practical even for large groups: it requires each user to send only O(1) communication and
to compute only 3 “full” modular exponentiations and O(n log n) modular multiplications,
generate 2 signatures, and perform O(n) signature verifications (the cost of which can be
improved by using signatures that allow for “batch verification” [7]).
The difficulty of analyzing protocols for group AKE has led to a number of ad hoc
approaches to this problem and has seemingly hindered the development of practical and
provably-secure solutions (as evidenced by the many published protocols later found to
be flawed; cf. the attacks given in [37, 14]). To manage this complexity, we propose and
analyze a scalable compiler for this setting which enables a modular approach and therefore
greatly simplifies the design and analysis of group AKE protocols. Our compiler transforms
any group key-exchange protocol which is secure against a passive eavesdropper to one
which is secure against a stronger — and more realistic — active adversary who controls
all communication in the network. If the original protocol achieves forward secrecy, the
compiled protocol does too. Our compiler is inspired by earlier work of Bellare, Canetti,
and Krawczyk [6], who show a compiler with similar functionality. Although their compiler
does indeed apply to multi-party protocols, their primary motivation was the two-party
setting. The compiler we show here is specifically tailored for the group setting, and it
scales better than the compiler of [6]. Further discussion appears in Section 1.2.
As an immediate illustration of the advantages of a modular approach, note that our
compiler may be applied to the group key-exchange protocol of Steiner, et al. [40] to yield
a group AKE protocol with comparable efficiency to that of [17] but with a much simpler
security proof which holds even for groups of polynomial size.
As an additional contribution, we investigate the security of the well-known BurmesterDesmedt protocol [19, 20] for unauthenticated group key exchange. 2 Adapting their work,
we present a 2-round group key-exchange protocol and rigorously prove its security —
against a passive adversary — under the DDH assumption. Applying our above-mentioned
compiler to this protocol gives our main result.
1.2
Survey of Previous Work
Group key exchange. A number of works have considered extending the 2-party DiffieHellman protocol [25] to the multi-party setting [28, 39, 19, 40, 4, 33, 34]. Best-known among
these are perhaps the works of Ingemarsson, et al. [28], Burmester and Desmedt [19], and
Steiner, et al. [40]. Ingemarsson, et al. and Steiner, et al. assume only a passive (eavesdropping) adversary; furthermore, no proofs of security appear are given by the Ingemarsson, et
al. (and we are not aware of any subsequent proof of security for their protocol). Security
of the Burmester-Desmedt protocol is discussed in footnote 2 and Section 4.
2
Since no security proof appears in the proceedings version [19], the Burmester-Desmedt protocol has
often been considered “heuristic” and not provably-secure (see, e.g., [17, 14]). Subsequent to our work we
became aware of a security proof for a variant of their protocol against a passive adversary [18] (see also [20]).
Section 4 contains further discussion.
3
Bresson, et al. [17]
Boyd-Nieto [14]
Here
Standard model?
Yes
No
Yes
Forward Secrecy?
Yes
No
Yes
Polynomial group size?
No
Yes
Yes
Table 1: High-level comparison of provably-secure protocols for group AKE. Efficiency
comparisons are given in Table 2.
Key-exchange (KE) protocols are intended to be secure against a passive adversary only.
Authenticated key-exchange (AKE) protocols are designed to be secure against the stronger
class of adversaries who —in addition to eavesdropping — control all communication in
the network (cf. Section 2). A number of protocols for authenticated group key exchange
have been suggested [29, 13, 2, 3, 41]; unfortunately, none of these works present rigorous
security proofs in a well-defined model (indeed, attacks on some of these protocols have
been shown [37]). Tzeng and Tzeng [42] prove security of a group AKE protocol using a
non-standard adversarial model and assuming a reliable broadcast channel (an assumption
we do not make here). Their protocol does not achieve forward secrecy, and an explicit
attack on their protocol has been identified [14].
Provably-secure protocols. Bresson, et al. [17, 15, 16], building on earlier work of Bellare
and Rogaway in the two-party setting [10, 11, 8], give the first formal model of security for
group AKE and the first provably-secure protocols for this setting. (A stronger model of
security for group AKE, based on work of Canetti and Krawczyk [23], has been proposed
more recently [31].) The protocols of Bresson, et al. are all based on work of Steiner, et
al. [40], and require O(n) rounds to establish a key among n users. The initial work [17]
deals with the case where the subset of participants sharing a key does not undergo frequent
changes, and shows a protocol that achieves forward secrecy under the computational DiffieHellman assumption in the random oracle model (as noted there, however, the protocol can
also be proven secure in the standard model using the DDH assumption). Unfortunately,
the proof of security applies only for groups of constant size (cf. [17, Theorem 1]).
Later work [15, 16] focuses on the dynamic case where users join or leave the group
and the session key must be updated whenever this occurs. Although we do not explicitly
address this issue, note that dynamic group membership can always be handled by running
the group AKE protocol from scratch among members of the new group. For the case
when individual members join and leave, the complexity of the protocol given here is only
slightly worse than the Join and Remove algorithms of [15, 16]. The protocol given here
seemingly performs even better relative to [15, 16] when merging two large groups, or
when partitioning a group into two groups of roughly equal size (see [1] for performance
comparisons). Adapting the protocol presented here to handle dynamic membership even
more efficiently, however, remains an interesting topic for future research.
More recently (in work subsequent to ours), a constant-round group AKE protocol with
a security proof in the random oracle model has been shown [14]. We have already discussed
in the previous section the various drawbacks of this protocol.
We summarize previous provably-secure protocols, and compare them with the present
work, in Table 1. We compare the efficiency of these protocols (with respect to various
4
complexity measures) in Table 2, below.
Compilers for key-exchange protocols. A modular approach such as that used here
has been used previously in the design and analysis of key-exchange protocols. For example, Mayer and Yung [36] give a compiler which converts any two-party protocol into a
centralized (asymmetric) group protocol; their compiler invokes the original protocol O(n)
times, however, and is therefore not scalable. In work with similar motivation as our own,
Bellare, Canetti, and Krawczyk [6] also show a compiler (the “BCK compiler”) which converts unauthenticated protocols into authenticated protocols. (We remark, however, that
their model is slightly different from ours — and thus their compiler does not directly apply
to our setting — in that they assume parties agree a priori on unique, matching session
ids.) At a high level, applying the BCK compiler to an n-party protocol can be viewed
as providing O(n2 ) authenticated channels between each pair of parties. In contrast, our
compiler may be viewed as providing a single authenticated “broadcast” channel to these
n parties (although, as discussed below, we do not assume that broadcast is available as a
primitive in our network). The compiler we show here is also more computationally efficient
than O(n2 ) invocations of the BCK compiler.
Burmester and Desmedt [18] suggest a method (specific to their protocol) to achieve
security against an active adversary. Their method requires zero-knowledge (ZK) proofs
of knowledge, and it seems that (minimally) these ZK proofs need to be non-malleable
and secure under concurrent executions in order for their protocol to be provably-secure
in the model considered here. The authenticated group key-exchange protocol given here
is computationally more efficient and has better round complexity than what could be
achieved using their approach.
One can also view the work of Bresson, et al. [17] as providing a “compiler” specific
for the protocol of Steiner, et al. [40]. Even for this application, their compiler results
in an exponential degradation of the concrete security reduction; thus, their proof only
applies to groups of constant size (cf. [17, Theorem 1]). In contrast, our proofs apply to
polynomial-size groups.
1.3
Complexity Measures for Group AKE Protocols
We measure the efficiency of group AKE protocols in a number of standard ways which we
now describe for completeness. This is followed by a comparison of the efficiency of our
main protocol with that obtained in previous work.
Round complexity. The round complexity of a protocol is simply the number of rounds
until the protocol terminates. Note, however, that this must be more carefully defined in the
presence of an active adversary who controls the scheduling of all messages in the network
(indeed, the very notion of a “round” is not well-defined in this model, and an adversary
can make the time complexity arbitrarily large by refusing to deliver any messages). We
measure the round complexity assuming the “best-case” scenario: an adversary who delivers
all messages intact to the appropriate recipient(s) as soon as they are sent. Messages which
can be sent by parties simultaneously are considered to occur in the same round.
Message complexity. We measure the message complexity in terms of the maximum
number of messages sent by any single user ; this seems more useful in determining scala5
Rounds
Bresson, et al. [17]
Boyd-Nieto [14]
Here
O(n)
1
3
Messages (per user)
Point-to-point Broadcast
2
2
O(n)
1
O(n)
3
Communication (per user)
Point-to-point Broadcast
O(n)
O(n)
2
O(n )
O(n)
O(n)
O(1)
Table 2: Complexity of provably-secure protocols for group AKE in terms of the number of
parties n. See text for explanation of what “point-to-point” and “broadcast” refer to.
bility of a protocol. We consider the message complexity in both the point-to-point and
“broadcast” models. In the point-to-point model each message sent to a different party
is counted separately, while in the “broadcast” model we assume that sending the same
message to multiple parties incurs the same cost as sending that message to a single party;
equivalently, we assume a “broadcast channel” and measure the number of messages a player
sends to that channel. We stress, however, that the abstraction of a broadcast channel is
used only for measuring the complexity, and we do not assume that a true broadcast channel
is available when proving security of our protocols. In particular, an active adversary still
has complete control over all communication in the network (and can deliver different messages to different parties), and if a player U is corrupted then that player can send different
messages to different parties. Further discussion appears at the beginning of Section 3.1.
Communication complexity. As in the case of message complexity, we measure communication complexity in terms of the maximum number of bits communicated by any single
party, and consider both point-to-point and “broadcast” models.
With the above in mind, we compare in Table 2 the complexity of our main protocol
to that of previous work [17, 14] (recall that our main protocol is obtained by applying
the compiler of Section 3 to the group KE protocol of Section 4). As for computational
costs, the protocol of [17] requires some players to compute O(n) “full” modular exponentiations (in addition to O(1) signatures and O(1) signature verifications); the protocol of [14]
requires the initiator of the protocol to perform O(n) public-key encryptions and one signature computation; and our protocol requires each player to compute O(n log n) modular
multiplications and to verify O(n) signatures (in addition to O(1) signature computations
and 3 “full” modular exponentiations). As we have already noted, the cost of signature
verification in our protocol can be improved using techniques for batch verification [7].
1.4
Outline
In Section 2, we review the security model of Bresson, et al. [17]. We present our compiler in
Section 3 and a two-round protocol secure against passive adversaries in Section 4. Applying
our compiler to this protocol gives our main result: an efficient, fully-scalable, and constantround group AKE protocol.
6
2
The Model and Preliminaries
For strings x1 , . . . , xn , we let y = x1 | · · · |xn be a string which unambiguously encodes
x1 , . . . , xn so that, in particular, it is possible to correctly recover the {x i } from y. As this
can be achieved using standard techniques, we do not dwell on it further.
Our security model is the one of Bresson, et al. [17] which builds on prior work from the
2-party setting [10, 11, 8] and which has been widely used to analyze group key-exchange
protocols (cf. [15, 16, 14]). We explicitly define notions of security for both passive and
active adversaries; this will be necessary for stating and proving meaningful results about
our compiler in Section 3.
Participants and initialization. We assume for simplicity a fixed, polynomial-size set
P = {U1 , . . . , U` } of potential participants. Any subset of P may decide at any point to
establish a session key, and we do not assume that these subsets are always the same size
or always include the same participants. Before the protocol is run for the first time, an
initialization phase occurs during which each participant U ∈ P runs an algorithm G(1 k )
to generate public/private keys (P K U , SKU ). Each player U stores SKU , and the vector
hP Ki i1≤i≤|P| is known by all participants (and is also known by the adversary).
Adversarial model. In the real world, a protocol determines how principals behave in
response to signals from their environment. In our model, these signals are sent by the
adversary. Each principal can execute the protocol multiple times with different partners;
this is modeled by allowing each principal an unlimited number of instances with which
to execute the protocol. We denote instance i of user U as Π iU . A given instance may be
used only once. Each instance ΠiU has associated with it the variables state iU , termiU , acciU ,
usediU , pidiU , sidiU , and skiU with the following semantics (following [8]):
• stateiU represents the current (internal) state of instance Π iU . The variables termiU
and acciU take boolean values indicating whether the instance has terminated or accepted, respectively. When an instance has terminated, it is done sending and receiving
messages. A terminated instance may also possibly accept; acceptance is meant to
represent (informally) that the instance does not detect any incorrect behavior.
• pidiU , the partner ID of instance ΠiU , is a set containing the identities of the players in
the group with whom ΠiU intends to establish a session key (including U itself). The
session ID sidiU provides a means of determining which instances are taking part in a
given execution of the protocol; its exact function is discussed further below. Finally,
skiU is the session key whose computation is the goal of the protocol.
For the most part, we will only explicitly refer to pid iU , sidiU , and skiU (the remaining variables
will be left implicit).
The adversary is assumed to have complete control over all communication in the network. An adversary’s interaction with the principals in the network (more specifically, with
the various instances) is modeled by the following oracles:
• Send(U, i, M ) — This sends message M to instance Π iU , and outputs the reply generated by this instance. Since protocols in the group setting may wait to receive messages
from multiple parties before generating any reply, we write Send(U, i, M 1 | · · · |M` ) to
7
denote sending messages M1 , . . . , M` to this instance (in response, the oracle generates
the reply the instance would generate in response to this sequence of messages).
We allow the adversary to prompt the unused instance Π iU to initiate the protocol
with partners U2 , . . . , Un by calling Send(U, i, U2 | · · · |Un ). In this case, pidiU is set to
{U, U2 , . . . , Un }.
• Execute(U1 , i1 , . . . , Un , in ) — This executes the protocol between the (unused) ini
stances {ΠUjj }1≤j≤n , and outputs the transcript of the execution. The pid of each
instance is set to {U1 , . . . , Un }. For simplicity, we will refer to such a query by
Execute(U1 , . . . , Un ) and assume the {Ui } are in lexicographic order.
• Reveal(U, i) — This outputs session key sk iU for a terminated instance ΠiU .
• Corrupt(U ) — This outputs the long-term secret key SK U of player U .
• Test(U, i) — This query is allowed only once, at any time during the adversary’s
execution. A random bit b is generated; if b = 1 the adversary is given sk iU , and if
b = 0 the adversary is given a random session key.
A passive adversary is given access to the Execute, Reveal, Corrupt, and Test oracles,
while an active adversary is additionally given access to the Send oracle. Although the
Execute oracle can be simulated via repeated calls to the Send oracle, allowing Execute
queries allows for a tighter definition of forward secrecy as well as a more exact concrete
security analysis.
Partnering. Partnering is defined via session IDs and partner IDs. The session ID sid iU for
instance ΠiU is a protocol-specified function of all communication sent and received by Π iU ;
for our purposes, we make the strictest definition and set sid iU equal to the concatenation of
all messages sent and received by ΠiU during its execution (where the messages are ordered by
round, and within each round lexicographically by the identities of the purported senders).
As we have already discussed above, pid iU is a set containing the identities of the players
in the group with whom ΠiU intends to establish a session key (including U itself), and
is defined when the adversary initiates execution of the protocol via either the Send or
Execute oracles. We say terminated instances Π iU and ΠjU 0 (with U 6= U 0 ) are partnered iff
(1) pidiU = pidjU 0 and (2) sidiU = sidjU 0 . Our definition of partnering is much simpler than
that of [17] since, in our protocols, all messages are sent to all other members of the group
taking part in the protocol.
We remark that two instances ΠiU , ΠjU of the same user U cannot be partnered (i.e.,
we require U 6= U 0 above). This definitional choice is motivated by our intuitive notion
of “partnering,” but has technical consequences as well. In particular, it implies that no
deterministic protocol can be secure with respect to the definitions given here; see the
discussion in Section 2.1.
Correctness. Of course, we wish to rule out “useless” protocols from consideration. In
the standard way, we require that for all U, U 0 , i, j such that sidiU = sidjU 0 , pidiU = pidjU 0 , and
acciU = accjU 0 = true, it is the case that skiU = skjU 0 6= null.
8
Freshness. Following [8, 17, 30], we define a notion of freshness appropriate for the goal
of forward secrecy. An instance ΠiU is fresh unless one of the following is true: (1) at some
point, the adversary queried Reveal(U, i) or Reveal(U 0 , j), where ΠjU 0 is partnered with ΠiU ;
or (2) a query Corrupt(V ) with V ∈ pidiU was asked before a query of the form Send(U 0 , j, ∗),
where U 0 ∈ pidiU . We remark that our definition of freshness results in a stronger definition
of forward secrecy than that given by [8].
Definitions of security. Event Succ occurs if the adversary A queries the Test oracle on
an instance ΠiU which is still fresh at the conclusion of the experiment and for which acc iU =
true, and A correctly guesses the bit b used by the Test oracle in answering this query.
def
The advantage of A in attacking protocol P is defined as Adv A,P (k) = |2 · Pr[Succ] − 1|.
We say protocol P is a secure group key exchange (KE) protocol if it is secure against a
passive adversary; that is, for any ppt passive adversary A it is the case that Adv A,P (k) is
negligible. We say protocol P is a secure authenticated group key exchange (AKE) protocol
if it is secure against an active adversary; that is, for any ppt active adversary A it is the
case that AdvA,P (k) is negligible.
-fs (t, q ) to be the maximum
To enable a concrete security analysis, we define Adv KE
ex
P
advantage of any passive adversary attacking P , running in time t, and making q ex calls to
the Execute oracle. Similarly, we define Adv PAKE-fs (t, qex , qs ) to be the maximum advantage
of any active adversary attacking P , running in time t, making q ex calls to the Execute
oracle, and making qs calls to the Send oracle.
Protocols without forward secrecy. The definitions above already incorporate the
requirement of forward secrecy since the adversary has unrestricted access to the Corrupt
oracle in each case. Our compiler may also be applied to KE protocols which do not achieve
AKE
forward secrecy. For completeness, we define Adv KE
P (t, qex ) and AdvP (t, qex , qs ) in a manner
completely analogous to the above, with the exception that the adversary in each case can
only access the Corrupt oracle immediately after the initialization stage but before it makes
any other oracle queries (this models “static” corruption of players before any executions
of the protocol are carried out). This is stronger (and more realistic) than the usual model
which simply disallows Corrupt queries altogether. 3
Authentication. We do not define any notion of explicit authentication or, equivalently,
confirmation that the other members of the group were the ones participating in the protocol
(such a definition may be derived by adapting the definition of [10] from the two-party
setting). However, it is not hard to see that any group AKE protocol resulting from our
compiler does indeed achieve explicit authentication.
2.1
Notes on the Definition
Deterministic and non-interactive protocols. We claim that for any deterministic
key exchange protocol P there exists an adversary A with Adv KE
P (t, 2) ≈ 1 (for some small
value of t). To see this, consider the adversary who queries Execute(U 1 , i, U2 , i, U3 , i) and
Execute(U1 , j, U2 , j, U3 , j), followed by Reveal(U1 , i) and Test(U1 , j). Since P is deterministic, we have that skiU1 = skjU1 and so the adversary can easily succeed with probability
3
We thank an anonymous referee for suggesting that we use this stronger model.
9
essentially 1 (assuming the session keys are long enough). Crucial to this attack is the fact
that ΠiU1 and ΠjU1 are not partnered (and so ΠjU1 is fresh); note that if we were to allow
two instances of the same user to be partnered then in fact all the relevant instances above
(i.e., ΠiU1 , ΠjU1 , . . ., ΠiU3 , ΠjU3 ) would be partnered (since they all have identical values of
sid and pid) and so the above attack would be ruled out.
A corollary of the above is that no non-interactive key-exchange protocol is secure with
respect to our definitions. We remark that there do exist non-interactive key-exchange
schemes satisfying weaker definitions of security.
Insider attacks. Although the definitions given above are standard for the analysis of
group key-exchange protocols [17, 15, 16, 14], there are a number of concerns they do not
address. For one, the definitions do not offer complete protection against malicious insiders
or users who do not honestly follow the protocol. The definitions also do not ensure any form
of “agreement” (in the sense of [27]); in fact, since the model gives the adversary complete
control over all communication in the network (i.e., in addition to delaying messages, the
adversary may modify messages or refuse to deliver them at all!) full-fledged agreement is
clearly impossible. Finally, the definitions do not protect against “denial of service” attacks
in which, for example, an honest instance might “hang” indefinitely; this is a consequence
of the adversary’s ability to refuse to deliver messages.
Some of these concerns can be addressed, at least partially, by making suitable changes to
existing protocols. For example, it seems that the following approach can be used following
any group AKE protocol to achieve confirmation that all (non-corrupted) participants have
computed a matching session key: after computing key sk, each player U i computes xi =
H(sk|sid|Ui ), signs xi , broadcasts xi and the corresponding signature, and computes the
“actual” session key sk0 = H(sk|sid|⊥) (here, H is modeled as a random oracle and “⊥”
represents some distinguished string); other players check the validity of the broadcast
values in the obvious way. Although this does not provide agreement (since an adversary
can still refuse to deliver messages to some of the participants), it does ensure the equality
of any keys generated by partnered instances. For further discussion about insider attacks
and a proof that a variant of the above approach is secure (in the standard model), see [31].
3
3.1
A Scalable Compiler for Group AKE Protocols
Description of the Compiler
We show here a compiler transforming any secure group KE protocol P to a secure group
AKE protocol P 0 (recall that a group KE protocol protects against a passive adversary only,
while a group AKE protocol additionally protects against an active adversary). Without
loss of generality, we assume that in the original protocol P each message sent by an instance
ΠiU includes the sender’s identity U as well as a sequence number which begins at 1 and
is incremented each time ΠiU sends a message (in other words, the j th message sent by
an instance ΠiU has the form U |j|m). Furthermore, because the KE protocol discussed in
Section 4 has this property, we assume for simplicity that every message of the original
protocol P is sent — via point-to-point links — to every member of the group taking part
in the execution of the protocol; that is, Π iU sends each message to all users in pid iU . (We
discuss briefly below the case when P does not satisfy this.) For simplicity, we refer to this
10
as “broadcasting a message” but stress that we do not assume a broadcast channel and, in
particular, an active adversary can deliver different messages to different members of the
group or refuse to deliver a message to some of the participants. (Also, if the adversary
learns the secret key of a party V via a Corrupt query, the adversary can send different
messages on behalf of V to different members of the group.)
Let Σ = (Gen, Sign, Vrfy) be a signature scheme which is strongly unforgeable under
adaptive chosen message attack (where “strong” means that an adversary is also unable
to forge a new signature for a previously-signed message), and let Succ Σ (t) denote the
maximum advantage of any adversary running in time t in forging a new message/signature
pair. We assume that the signature length is independent of the length of the message
signed; this is easy to achieve in practice by hashing the message (using a collision-resistant
hash function) before signing. Given protocol P as above, our compiler constructs a new
protocol P 0 as follows:
1. During the initialization phase, each party U ∈ P generates the verification/signing
keys (P KU0 , SKU0 ) by running Gen(1k ). This is in addition to any keys (P K U , SKU )
generated as part of the initialization phase for P .
2. Let U1 , . . . , Un be the identities (in lexicographic order) of users wishing to establish
a common key, and let U = {U1 , . . . , Un }. Each user Ui begins by choosing a random
nonce ri ∈ {0, 1}k and broadcasting Ui |0|ri (note we assign this message the sequence
number “0”). After receiving the initial broadcast message from all other parties,
each instance ΠjU (for U ∈ U) sets noncesjU = U1 |r1 | · · · |Un |rn and stores this as part
of its state information.
3. The members of the group now execute P with the following changes:
• Whenever instance ΠiU is supposed to broadcast U |j|m as part of protocol P , the
instance computes σ ← SignSKU0 (j|m|nonces iU ) and then broadcasts U |j|m|σ.
• When instance ΠiU receives message V |j|m|σ, it checks that: (1) V ∈ pid iU \ {U },
(2) j is the next expected sequence number for messages from V , and, finally,
(3) VrfyP KV0 (j|m|nonces iU , σ) = 1. If any of these are untrue, ΠiU aborts the
protocol and sets acciU = false and skiU = null. Otherwise, ΠiU continues as it
would in P upon receiving message V |j|m.
4. Assuming it has not already aborted the protocol, each instance computes the session
key as in P .
In case messages in P are not broadcast to the entire group, step 3 in the above may be
modified as follows: Whenever instance Π iU is supposed to send U |j|m to player U 0 , the instance computes σ ← SignSKU0 (j|m|U 0 |noncesiU ) and then sends U |j|m|σ to U 0 . (Verification
is changed in the obvious way.)
3.2
Proof of Security
We now prove that the compiler of the previous section converts any group KE protocol
into a group AKE protocol. This holds regardless of whether or not the original protocol
11
achieves forward secrecy (of course, if the original protocol does not achieve forward secrecy
then the compiled one does not achieve it either).
Before giving the formal proof, we present a high-level overview. In the proof, we
will transform any active adversary A 0 attacking protocol P 0 into a passive adversary A
attacking protocol P . A natural first attempt is to have A query its Execute oracle for
each unique value of nonces defined throughout the course of the experiment. This results
in a transcript T of an execution of P , which can then be “patched” by A (by generating
appropriate signatures) to yield a transcript T 0 of an execution of P 0 . The appropriate
messages of T 0 can then be returned to A0 as it makes the relevant Send queries. We
would then like to claim that this yields a “good” simulation since, roughly speaking, A 0 is
“limited” to sending messages already contained in T 0 (because A0 cannot forge signatures
and, except with negligible probability, nonces do not repeat).
Unfortunately, such an approach does not quite work since A 0 might make a Corrupt
query and then send messages that are not contained in the “patched” transcript T 0 . That
is, A0 might query Send1 (U, `, ∗) and then, at some later point in time, corrupt a player
V ∈ pid`U . This will allow A0 to sign messages on behalf of V and therefore to send arbitrary
messages to, e.g., Π`U . Note that although Π`U is no longer fresh (and so A need not be
concerned with the secrecy of the session key generated by that instance), the messages
output by this instance must still be properly simulated by A. Unfortunately, there does
not seem to be any general way that A can perform such a simulation.
To avoid this potential problem, we adopt the following modified approach (informally):
for all but (at most) one value of nonces, adversary A will respond to the Send queries of
A0 by running protocol P 0 itself. A will be able to perform this efficiently by making the
necessary Corrupt queries to obtain any private information needed to execute the underlying
protocol. For the (at most one) value of nonces that A does not simulate on its own, A
will use its Execute oracle to obtain a transcript of P and simulate an execution of P 0 (as
discussed above). In essence, A is guessing that A 0 will eventually issue a Test query for an
instance associated with this singular value of nonces, which degrades the concrete security
by a factor of roughly qs . (We remark that when forward secrecy is not a concern the above
issue does not arise and so a tighter security reduction is possible.) A formal proof follows.
Theorem 1 If P is a secure group KE protocol achieving forward secrecy, then P 0 given
by the above compiler is a secure group AKE protocol achieving forward secrecy. Namely:
qs
-fs (O(t0 ), 1)
· AdvKE
P
2
q 2 + qex qs
,
+ |P| · SuccΣ (O(t0 )) + s k
2
-fs (t, q , q ) ≤ AdvKE-fs (O(t0 ), q ) +
AdvPAKE
0
ex s
ex
P
where t0 represents the maximum time required to execute an entire experiment involving an
adversary running in time t attacking protocol P 0 .
For the case when P may not achieve forward secrecy, we have:
KE
0
AdvAKE
P 0 (t, qex , qs ) ≤ AdvP (O(t ), qex +
q 2 + qex qs
qs
) + |P| · SuccΣ (O(t0 )) + s k
,
2
2
where t0 is as above.
12
Proof In the proof, we focus on the case when P achieves forward secrecy and discuss
briefly at the end the case when it does not. Given an active adversary A 0 attacking P 0 , we
will construct a passive adversary A attacking P ; relating the success probabilities of A 0
and A gives the stated result. Before describing A, we first define events Forge and Repeat
and bound their respective probabilities. Let Forge be the event that A 0 outputs a new,
valid message/signature pair with respect to the public key P K U0 of some user U ∈ P before
querying Corrupt(U ). (More formally, Forge is the event that A 0 makes a query of the form
Send(V, i, U |j|m|σ) where Vrfy P KU0 (j|m|nonces iV , σ) = 1 but σ was not previously output
by any instance of the as-yet-uncorrupted player U as a signature on j|m|nonces iV .) It is
straightforward to show that PrA0 ,P 0 [Forge] ≤ |P| · SuccΣ (O(t0 )).
Let Repeat be the event that a nonce used by any user in response to a Send query
was used previously by that user (in response to either an Execute or a Send query). It is
+qs2
.
immediate that PrA0 ,P 0 [Repeat] ≤ qs qex
k
2
Informally, we will consider separately the cases when A 0 asks its Test query to an
instance initialized via an Execute query, and the case when A 0 asks its Test query to an
instance initialized via a Send query. More formally, let Ex be the event that A 0 makes its
query Test(U, i) to an instance ΠiU such that A0 never made a query of the form Send(U, i, ∗)
def
(and therefore did make an Execute query involving this instance). We also define Se = Ex.
We will separately bound the probabilities of Pr A0 ,P 0 [Succ ∧ Ex] and PrA0 ,P 0 [Succ ∧ Se] by
constructing appropriate passive adversaries A 1 and A2 (each attacking P ).
The initial behavior of adversaries A 1 /A2 is the same, and so we describe it once and for
all. Recall that as part of the initial setup, adversary A 1 /A2 is given public keys {P KU }U ∈P
if any are defined as part of protocol P . First, A 1 /A2 obtains all secret keys {SKU }U ∈P
using multiple Corrupt queries. Next, A 1 /A2 runs Gen(1k ) to generate keys (P KU0 , SKU0 ) for
each U ∈ P. The set of public keys {P KU0 , P KU }U ∈P is then given to A0 . A1 /A2 then runs
A0 and simulates the oracle queries of A 0 in the manner described below. We stress that
A1 /A2 now has the secret information of all parties in the network; yet, since P provides
forward secrecy, this does not affect the security of P against passive attacks. 4
We first describe the simulation provided by A 1 . At a high level, A1 simply runs A0
as a subroutine and simulates the Execute queries of A 0 using queries to its own Execute
oracle. All Send oracle queries of A 0 are answered by having A1 execute protocol P 0 itself;
again, the key point is that A1 can do this since it has the secret keys of all the parties. If
event Se occurs, A1 aborts and outputs a random bit; otherwise, it outputs whatever bit is
eventually output by A0 . We now describe the simulation in more detail.
Execute queries. When A0 makes a query Execute(U1 , . . . , Un ) (with the U ’s assumed to
be in lexicographic order), A1 sends the same query to its Execute oracle and receives in
return a transcript T of an execution of P . Next, A 1 chooses random r1 , . . . , rn ∈ {0, 1}k
and sets nonces = U1 |r1 | · · · |Un |rn . To simulate a transcript T 0 of an execution of P 0 , A1
sets the initial messages of T 0 to {Ui |0|ri }1≤i≤n . Furthermore, for each message U |j|m
in transcript T , algorithm A1 computes signature σ ← SignSKU0 (j|m|nonces) and places
U |j|m|σ in T 0 . When done, the complete transcript T 0 is given to A0 .
4
Indeed, our definition of freshness ensures that all instances initialized by an Execute query are (potentially) fresh even if all parties involved have been corrupted.
13
Send queries. As discussed earlier, when A 0 makes a Send query the response is computed
by having A1 execute protocol P 0 itself (recording state as necessary).
Reveal/Test queries. Any Reveal queries made by A 0 to instances initiated via an Execute query are answered by having A 1 make the appropriate query to its own Reveal
oracle. Specifically, when A0 queries Reveal(U, `) for an instance for which acc `U = true,
def
let T 0 = sid`U be the transcript of the execution of P 0 for instance Π`U . Let T denote the
underlying transcript of protocol P that is contained within transcript T 0 , obtained by simply “stripping” the signatures from T 0 . Assuming Π`U was initiated via an Execute query
made by A0 , there exists an Execute query made by A 1 which resulted in this transcript;
A1 makes a Reveal query to the appropriate instance belonging to the lexicographically-first
user involved in this query, and then returns the result to A 0 .
Reveal queries made by A0 to instances initiated via a Send query are answered in the
obvious way by A1 (in particular, A1 simply computes the appropriate session key itself).
When A makes its Test query Test(U, i), A 1 checks whether A0 has ever made a query
of the form Send(U, i, ∗) (i.e., whether event Se has occurred). If so, A 1 aborts and outputs
a random bit. Otherwise (namely, if event Ex has occurred), A 1 issues the appropriate Test
query to its own oracle, returns the result to A 0 , and outputs whatever A0 outputs.5
The simulation provided by A1 is perfect (even if Repeat or Forge occurs) unless A 1
aborts due to the occurrence of event Se. Thus:
PrA1 ,P [Succ] = PrA0 ,P 0 [Succ ∧ Ex] +
1
2
· PrA0 ,P 0 [Se].
(1)
-fs (O(t0 ), q ) because A makes at most q
Furthermore, |2 · PrA1 ,P [Succ] − 1| ≤ AdvKE
ex
1
ex
P
queries to its Execute oracle.
Before describing A2 , we introduce some terminology. Denote the initial Send query to
an instance (denoting a request for protocol initiation) by Send 0 ; note that for any particular
instance Π`U this query always has the form Send0 (U, `, U1 | · · · |Un ). Denote the second Send
query to an instance by Send1 ; for an instance Π`U as before, we may assume without loss of
generality that this query has the form Send 1 (U, `, (U1 |0|r1 )| · · · |(Un |0|rn )) with ri ∈ {0, 1}k
for all i and the {Ui } appearing in lexicographic order. Following a Send 1 query to instance
Π`U , define nonces`U = U1 |r1 | · · · |U |rU` | · · · |Un |rn where rU` is the nonce generated by Π`U and
the position of U |rU` is chosen so as to maintain the lexicographic ordering of the U ’s.
We now describe A2 . At a high level, A2 guesses that Se will occur and furthermore
guesses in advance the first Send1 query corresponding to the eventual Test query of A 0 .
This Send query to some instance Π`U (and all Send queries to instances partnered with
Π`U ) will be simulated by having A2 make the appropriate query to its Execute oracle to
obtain a transcript T , “patch” T (by generating appropriate signatures) to obtain a modified
transcript T 0 , and then use T 0 in the natural way (i.e., send the appropriate message from
T 0 in response to the Send queries of A0 ). All other Send queries of A0 (as well as all Execute
queries) will be answered by having A 2 simulate execution of P 0 itself. If Ex, Forge, or
5
There is a slight subtlety here, in that A1 must make sure that its Test query is made to a fresh instance
(and it is possible that two Execute queries of A1 result in the same transcript T ). This is ensured by always
having A1 direct its Reveal/Test queries to an appropriate instance of the lexicographically-first user involved
in the corresponding Execute query, using the fact that two instances associated with the same user cannot
be partnered (by definition).
14
Repeat occurs, A2 aborts and outputs a random bit; otherwise, it makes the appropriate
Test query, forwards the result to A 0 , and outputs whatever A0 outputs. The key point here
is that as long as neither Forge nor Repeat occurs, A 0 is (informally) “limited” to sending
to Π`U (and partnered instances) messages contained in T 0 ; adversary A0 can do otherwise
only if it queries Corrupt(V ) for some V ∈ pid `U , but then Π`U is no longer fresh (we assume
without loss of generality that A0 only makes a Test query to a fresh instance, since it cannot
succeed otherwise).
We now provide the details. First, A 2 chooses a random α ∈ {1, . . . , qs /2} (note that
qs /2 is an upper bound on the number of Send 1 queries made by A0 ). It then simulates
the oracle calls of A0 as described below (to aid the simulation, A 2 maintains a list Nonces
whose function will become clear). A 2 aborts immediately (and outputs a random bit) if
Repeat or Forge occurs.
Execute queries. All Execute queries of A 0 are answered by having A2 execute protocol
P 0 itself (A2 can do this efficiently because it has the secret keys of all players), resulting
in a value nonces and a transcript T 0 . A2 stores (nonces, ∅) in Nonces and returns T 0 to A0 .
Send queries. These queries are handled as follows:
• On query Send0 (U, `, ∗), A2 chooses random rU` ∈ {0, 1}k and replies with U |0|rU` .
• On the αth Send1 query (say, to an instance Π`U ), the values of pid`U and nonces`U
are defined (by the previous Send0 query to this instance and the current query,
respectively). A2 first looks in Nonces for an entry of the form (nonces `U , ∅); if such
an entry exists, A2 aborts and outputs a random bit. Also, if A 0 had previously
asked a Corrupt query to any user V ∈ pid `U then A2 aborts and outputs a random
bit. Otherwise, A2 queries Execute(pid`U ), receives in return a transcript T , and stores
(nonces`U , T ) in Nonces. A2 then finds the message of the form U |1|m in T , computes
the signature σ ← SignSKU0 (1|m|nonces `U ), and returns U |1|m|σ to A0 .
• On any other Send query to an instance Π iU , A2 looks in Nonces for an entry of the
form (noncesiU , T ). If no such entry exists, A2 stores (nonces iU , ∅) in Nonces. In this
case or if T = ∅, A2 responds by executing protocol P 0 itself ; recall again that A2 can
do this since it has the secret information of all players. On the other hand, if T 6= ∅
this implies that A2 has received T in response to its single Execute query. Now, A 2
verifies correctness of the incoming messages as in the specification of the compiler
and terminates the instance if verification fails. Additionally, A 2 aborts (and outputs
a random bit) if A0 had previously asked a Corrupt query to any user V ∈ pid iU .
Otherwise, A2 locates the appropriate message U |j|m in transcript T , computes the
signature σ ← SignSKU0 (j|m|nonces `U ), and replies to A0 with U |j|m|σ.
Corrupt queries. These are answered in the obvious way.
Reveal queries. When A0 queries Reveal(U, `) for a terminated instance Π `U , the value of
nonces`U is defined. A2 finds an entry (nonces`U , T ) in Nonces and aborts (and outputs a
random bit) if T 6= ∅. Otherwise, if T = ∅ it means that A 2 has executed protocol P 0 itself;
A2 can therefore compute the appropriate session key and return it to A 0 .
15
Test query. When A0 queries Test(U, i) for a terminated instance, A 2 finds an entry
(nonces`U , T ) in Nonces. If T = ∅, then A2 aborts and outputs a random bit. Otherwise, A 2
makes the appropriate Test query (for one of the instances it activated via its single Execute
query) and returns the result to A0 .
Let Bad denote Forge ∪ Repeat, and recall that A 2 aborts immediately if Bad occurs.
From the above simulation, we may also note that A 2 aborts if Ex occurs (since in this case
T = ∅ when A0 makes its Test query). On the other hand, if neither Bad nor Ex occur, then
A2 does not abort (i.e., it correctly guesses the value of α) with probability exactly 2/q s .
Furthermore, the simulation is perfect in case A 2 does not abort. Putting this together
(and letting Guess denote the probability that A 2 correctly guesses α) implies
PrA2 ,P [Succ] =
2
qs
· PrA0 ,P 0 [Succ ∧ Se ∧ Bad] +
1
2
· Pr[Ex ∨ Guess ∨ Bad].
(2)
-fs (O(t0 ), 1) since A makes only a single query
Furthermore, |2 · PrA2 ,P [Succ] − 1| ≤ AdvKE
2
P
to its Execute oracle.
Using Eqs. (1) and (2) we obtain (in the following, Pr[·] always denotes Pr A0 ,P 0 [·]):
2 · PrA0 ,P 0 [Succ] − 1
= 2 · Pr[Succ ∧ Ex] + Pr[Succ ∧ Se ∧ Bad] + Pr[Succ ∧ Se ∧ Bad] − 12 -fs (O(t0 ), q ) + 2 · Pr[Succ ∧ Se ∧ Bad] + Pr[Succ ∧ Se ∧ Bad] − 1 Pr[Se]
≤ AdvKE
ex
P
2
qs
KE-fs
KE-fs
0
0
≤ AdvP (O(t ), qex ) + 2 · AdvP (O(t ), 1)
+ 2 · Pr[Succ ∧ Se ∧ Bad] − Pr[Se] − q2s Pr[Ex ∨ Bad] − ( q2s − 1) Pr[Se ∧ Bad] + q2s ,
using the fact that
Pr[Ex ∨ Guess ∨ Bad] = Pr[Ex ∨ Bad] + Pr[Guess ∧ Se ∧ Bad]
2
= Pr[Ex ∨ Bad] + (1 − ) · Pr[Se ∧ Bad] .
qs
Continuing, and using Pr[Ex ∨ Bad] + Pr[Se ∧ Bad] = 1, we have:
2 · PrA0 ,P 0 [Succ] − 1
-fs (O(t0 ), q ) + qs · AdvKE-fs (O(t0 ), 1)
≤ AdvKE
ex
P
2
P
+ 2 · Pr[Succ ∧ Se ∧ Bad] − Pr[Se] + Pr[Se ∧ Bad] = AdvKE-fs (O(t)0 , q ) + qs · AdvKE-fs (O(t0 ), 1) + |2 · Pr[Succ ∧ Se ∧ Bad] − Pr[Se ∧ Bad]|
≤
ex
P
KE-fs
0
AdvP (O(t ), qex )
+
2
qs
2
·
P
KE-fs
AdvP (O(t0 ), 1)
+ Pr[Bad].
Since Pr[Bad] ≤ Pr[Forge] + Pr[Repeat], this gives the desired result.
For the case when P does not achieve forward secrecy, we can construct an adversary
A that “merges” the behavior of A1 and A2 ; furthermore, A will not have to guess (as A 2
does) the first Send1 query corresponding to the eventual Test query of A 0 . In more detail:
A issues Corrupt queries in exactly the same way that A 1 /A2 do (note that all these queries
are made at the outset, before any other oracle queries are made). Then A simulates the
experiment for A0 in the following way: Execute queries of A 0 are handled as A1 does; Send
16
queries of A0 when no members of pid are corrupted are all handled as A 2 does for Send
queries corresponding to its “guess”; and Send queries of A 0 when some member of pid is
corrupted are handled by having A run the protocol itself. (The key point is that A does
not have to worry that A0 will later corrupt some player since all of the Corrupt queries
of A0 must now be made at the outset.) A aborts (and outputs a random bit) if either
Forge or Repeat occurs; otherwise, A outputs whatever A 0 outputs. Since A makes at most
qex + qs /2 queries to its Execute oracle, the claimed bound follows.
We remark that the above theorem is a generic result that applies to the invocation of
the compiler on an arbitrary group KE protocol P . For specific protocols, a better exact
security analysis may be obtainable.
4
A Constant-Round Group KE Protocol
In this section, we describe an efficient, two-round group KE protocol which achieves forward secrecy. Applying the compiler of the previous section to this protocol immediately
yields (via Theorem 1) an efficient, three-round group AKE protocol achieving forward secrecy. The security of the present protocol is based on the decisional Diffie-Hellman (DDH)
assumption [25], which we describe now. Let be a cyclic group of prime order q and let
g be a fixed generator of . Informally, the DDH problem is to distinguish between tuples
of the form (g x , g y , g xy ) (called Diffie-Hellman tuples) and (g x , g y , g z ) where z ∈ q \ {xy}
is random6 (called random tuples);
is said to satisfy the DDH assumption if these two
distributions are computationally indistinguishable. More formally, define Adv ddh (t) as the
maximum value, over all distinguishing algorithms D running in time at most t, of:
Pr[x, y ← q : D(g x , g y , g xy ) = 1] − Pr[x, y ← q; z ← q \ {xy} : D(g x , g y , g z ) = 1] ,
satisfies
where we assume that g is fixed and known to algorithm D. Given the above,
the DDH assumption if Adv ddh (t) is “small” for “reasonable” values of t. (This definition
is appropriate for a concrete security analysis; for asymptotic security one would consider
an infinite sequence of groups G = { k }k≥1 and require that Advddh
(t(k)) be negligible in k
k
for all polynomials t.) One standard way to generate a group assumed to satisfy the DDH
assumption is to choose primes p, q such that p = βq + 1 and let be the subgroup of order
q in ∗p. However, other choices of are also possible.
The protocol presented here is essentially the protocol of Burmester and Desmedt [19],
except that here is a cyclic group of prime order assumed to satisfy the DDH assumption
(in [19], was taken to be an arbitrary cyclic group assumed to satisfy the computational
Diffie-Hellman (CDH) assumption). Our work was originally motivated by the fact that
no proof of security appears in the proceedings version of [19]; furthermore, subsequent
work in this area (e.g., [17, 14]) has implied that the Burmester-Desmedt protocol was
“heuristic” and had not been proven secure. Subsequent to our work, however, we became
aware that a proof of security for a variant of the Burmester-Desmedt protocol appears in
the pre-proceedings of Eurocrypt ’94 [18] (see also [20]). Even so, we note the following:
6
Our definition is slightly non-standard in that we restrict random tuples to have z =
6 xy. Since this
occurs with probability 1/q (for randomly-chosen z), our modification has essentially no consequence. We
introduce the modification because it simplifies the proof of Theorem 2 somewhat.
17
• Burmester and Desmedt show only that an adversary cannot compute the entire
session key; in contrast, we show that the session key is indistinguishable from random.
• Burmester and Desmedt give a proof of security only for an even number of participants n. They recommend using an asymmetric modified protocol (in which one
player simulates the actions of two players) for the case of n odd.
• Finally, Burmester and Desmedt make no effort to optimize the concrete security of
the reduction (and do not achieve a tight reduction to the CDH problem); indeed,
this issue was not generally considered at that time.
For these reasons, we believe it is important to present a full proof of security for this
protocol (taking care to achieve as tight a security reduction as possible) in a precise and
widely-accepted model.
As required by our compiler, the protocol below ensures that players send every message
to all members of the group via point-to-point links; although we refer to this as “broadcasting” we stress that no broadcast channel is assumed (in any case, the distinction is
moot since we are dealing here with a passive adversary). For simplicity, in describing our
and a generator g ∈
have been fixed in advance and
protocol we assume a group
are known to all parties in the network; however, this assumption can be avoided at the
expense of an additional round in which the first player simply generates and broadcasts
these values (that this remains secure follows from the fact that we are now considering a
passive adversary). When n players U 1 , . . . , Un wish to generate a session key, they proceed
as follows (the indices are taken modulo n so that player U 0 is Un and player Un+1 is U1 ):
Round 1 Each player Ui chooses a random ri ∈
q
and broadcasts zi = g ri .
Round 2 Each player Ui broadcasts Xi = (zi+1 /zi−1 )ri .
Key computation Each player Ui computes their session key as:
n−2
ski = (zi−1 )nri · Xin−1 · Xi+1
· · · Xi+n−2 .
It may be easily verified that all users compute the same key g r1 r2 +r2 r3 +···+rn r1 .
Note that each user computes only three full-length exponentiations in since n q in
practice (typically, q ≈ 2160 while n 232 ). We do not explicitly include sender identities
and sequence numbers as required by the compiler of the previous section; however, as
discussed there, it is easy to modify the protocol to include this information.
Theorem 2 The above protocol is a secure group KE protocol achieving forward secrecy.
Namely:
-fs (t, q ) ≤ 4 · Advddh (t0 ) + 2 · qex ,
AdvKE
ex
P
| |
where t0 = t + O(|P| · qex · texp ) and texp is the time to perform exponentiations in
.
Proof The overall structure of our proof is as follows: assume for now an adversary
who eavesdrops on a single execution of the protocol, and consider the joint distribution of
(T, sk), where T = ({zi }, {Xi }) is a transcript of an execution of the protocol and sk is the
18
resulting session key; we will refer to this distribution as Real. We first show that, under the
DDH assumption, no efficient adversary can distinguish between the distributions Real and
Fake, where Fake is a distribution in which (as in the case of Real) all the {z i } are uniformly
to the case of Real) all the {X i } are uniformly
distributed in , but in which (in contrast Q
distributed in
subject to the constraint i Xi = 1 (in this informal discussion, we do
not describe the distribution of the session key in Fake). We then show that in distribution
Fake, the value of the session key is uniformly distributed in , independent of the value
of the transcript. Security of the original protocol, at least for an adversary making only
a single Execute query, follows immediately. The case of an adversary making multiple
Execute queries can be dealt with using a straightforward hybrid argument, but we show
an improved analysis resulting in a tighter concrete security reduction.
A natural approach for the first step described above (namely, showing that Real and
Fake are indistinguishable) is to proceed via a sequence of n hybrid distributions in which
(roughly speaking) one Xi at a time is replaced with a random group element (subject
to the above-mentioned constraint). To obtain a tighter concrete security reduction, we
will instead use the random self-reducibility [38, 5] of the DDH assumption. Due to the
dependence between the {Xi } we were unable to show a “one step” reduction. Instead, we
proceed in two steps via an intermediate distribution Fake 0 , where each step modifies the
distribution of a subset of the {Xi }. We now give the details.
def
Let ε(·) = Advddh (·). We consider first an adversary making a single Execute query and
-fs (t, 1) ≤ 4 · ε(t00 ), where t00 = t + O(n · t ) and n is the number of parties
show that AdvKE
exp
P
involved in the Execute query. We then discuss how to extend the proof for the case of
multiple Execute queries without affecting the tightness of the security reduction.
Since there are no public keys, we simply ignore Corrupt queries. Assume an adversary
A making a single query Execute(U1 , . . . , Un ). We stress that the number of parties n is
chosen by the adversary; since the protocol is symmetric and there are no public keys,
however, the identities of the parties are unimportant for our discussion.
Let n = 3s + k where k ∈ {3, 4, 5} and s ≥ 0 is an integer (we assume n > 2 since
the protocol reduces to the standard Diffie-Hellman protocol [25] for the case n = 2). A
detailed proof requires a slightly different analysis for each of the possible values of k and
depending on whether or not s = 0; we describe here the proof for k = 5, s > 0 (proofs for
the other cases follow using similar arguments). Considering an execution of the protocol
as described above, define Γi,i+1 = g ri ri+1 and note that
zi+1 ri
g ri ri+1
Γi,i+1
def
Xi =
.
= ri−1 ri =
zi−1
g
Γi−1,i
Furthermore, the (common) session key is equal to
def
sk1 = (zn )nr1 X1n−1 · · · Xn−1 = (Γn,1 )n X1n−1 · · · Xn−1 .
Thus, in a real execution of the protocol the distribution of the transcript T and the resulting
19
session key sk is given by the following, denoted Real:

r1 , . . . , r n ← q ;



r1
r2
rn


 z1 = g , z 2 = g , . . . , z n = g ;
def
r
r
r
r
1
2
2
3
Γ1,2 = g
, Γ2,3 = g
, . . . , Γn−1,n = g rn−1 rn , Γn,1 = g rn r1 ;
Real =

Γ
Γ
Γn,1

X1 = Γ 1,2 , X2 = Γ2,3
, . . . , Xn = Γn−1,n
;


1,2

 T = (z n,1
n
n−1 · · · X
1 , . . . , zn , X1 , . . . , Xn ); sk = (Γn,1 ) · (X1 )
n−1
:
(T, sk)







.






We next define a distribution Fake 0 in the following way: random exponents {r i } are
selected as in the case of Real. The {z i } are also computed exactly as in Real. However, the
values Γ1,2 , Γ2,3 , Γ3,4 , as well as every value Γj,j+1 with j ≥ 6 a multiple of 3 (i.e., every third
subsequent Γ value), are now chosen uniformly at random from (rather than computed
as in Real). Formally (recall n = 3s + 5 and s ≥ 1):


r1 , . . . , r n ← q ;






r
r
r
n
1
2


z1 = g , z 2 = g , . . . , z n = g ;






r
r


4
5
;
Γ
=
g
;


Γ
,
Γ
,
Γ
←
4,5
1,2
2,3
3,4








for
i
=
1
to
s:


0 def
let j = 3i + 3
Fake =
:
(T, sk) .


r
r
r
r


 Γj−1,j = g j−1 j , Γj,j+1 ← , Γj+1,j+2 = g j+1 j+2 ;





r
r
n 1


Γ
=
g
;


n,1




Γ2,3
Γn,1
Γ1,2




,
X
=
,
.
.
.
,
X
=
;
X
=
2
n
1


Γ
Γ
Γ
n,1
1,2
n−1,n




n
n−1
T = (z1 , . . . , zn , X1 , . . . , Xn ); sk = (Γn,1 ) · (X1 )
· · · Xn−1
Claim
For any algorithm A running in time t we have:
Pr[(T, sk) ← Real : A(T, sk) = 1] − Pr[(T, sk) ← Fake 0 : A(T, sk) = 1] ≤ ε(t00 ) + 1 .
| |
Proof Given algorithm A, consider the following algorithm D which takes as input a
triple (g1 , g2 , g3 ) ∈ 3 (where furthermore a generator g ∈ is fixed): D generates (T, sk)
according to distribution Dist0 , runs A(T, sk), and outputs whatever A outputs. Distribution
Dist0 is defined as follows (note that this distribution depends on g 1 , g2 , g3 ):


α0 , β0 , α00 , β00 , r0 , {αi , βi , γi , ri }si=1 ← q;




0




α0 g β0 , z = g , z = g , z = g α00 g β0 , z = g r0 ;


z
=
g
5
2
1
3
2
4
1


1
2


0
0


α 0 β0
β0
r
α


0
0


;
,
Γ
=
z
g
g
,
Γ
=
g
,
Γ
=
g
Γ
=
g
4,5
2,3
3
3,4
1,2


4
3
2
1
3






for
i
=
1
to
s:




 let j = 3i + 3

def
0
:
(T,
sk)
Dist =
.
γi
α i βi
ri


 zj = g g1 , zj+1 = g g2 , zj+2 = g ;



ri−1


α i β i γi
ri




 Γj−1,j r= zj , Γj,j+1 = g1 g3 zj+1 , Γj+1,j+2 = zj+1 ;



s




;
Γ
=
z
n,1
1




Γ1,2
Γ2,3
Γn,1




X
=
,
X
=
,
.
.
.
,
X
=
;


1
2
n
Γ
Γ
Γ


n,1
1,2
n−1,n


n
n−1
T = (z1 , . . . , zn , X1 , . . . , Xn ); sk = (Γn,1 ) · (X1 )
· · · Xn−1
We first examine the above distribution when (g 1 , g2 , g3 ) is chosen uniformly at random
from the set of Diffie-Hellman tuples (i.e., g 1 = g x , g2 = g y , and g3 = g xy ); we refer to the
20
resulting distribution as Dist0ddh :
Dist0ddh =


































x, y, α0 , β0 , α00 , β00 , r0 , {αi , βi , γi , ri }si=1 ← q;


0
0


z1 = g α0 g yβ0 , z2 = g x , z3 = g y , z4 = g α0 g xβ0 , z5 = g r0 ;


0
0

r0
xα
xyβ
xy
yα
xyβ

0
0
0
0

Γ1,2 = g g
, Γ2,3 = g , Γ3,4 = g g
, Γ4,5 = z4 ;




for i = 1 to s:



let j = 3i + 3
,
:
(T,
sk)
γ
x
α
yβ
r
i
i
i
i
zj = g g , zj+1 = g g , zj+2 = g ;


ri−1
γ

r
i
xα
xyβ
i

Γj−1,j = zj , Γj,j+1 = g i g i zj+1 , Γj+1,j+2 = zj+1 ;



rs

Γn,1 = z1 ;



Γ2,3
Γn,1
Γ1,2


X1 = Γn,1 , X2 = Γ1,2 , . . . , Xn = Γn−1,n ;



n
n−1
T = (z1 , . . . , zn , X1 , . . . , Xn ); sk = (Γn,1 ) · (X1 )
· · · Xn−1
where all we have done is substitute g 1 = g x , g2 = g y , and g3 = g xy (for x, y ∈ q chosen at
random at the beginning of the experiment) into the definition of Dist 0 . We claim that Dist0ddh
is identical to Real. To see this, first notice that {X i }, T, and sk are computed identically in
both, and so it suffices to look at the distribution of the z’s and the Γ’s. It is not hard to see
that in Dist0ddh , the {zk }nk=1 are uniformly and independently distributed in , exactly as in
Real. It remains to show that for all k ∈ {1, . . . , n}, the tuple (z k , zk+1 , Γk,k+1 ) in Dist0ddh is
a Diffie-Hellman tuple (as in Real). This can be verified by inspection. We conclude that:
Pr[x, y ←
q
: D(g x , g y , g xy ) = 1] = Pr[(T, sk) ← Real : A(T, sk) = 1].
(3)
We now examine distribution Dist0 in case (g1 , g2 , g3 ) is chosen uniformly from the space
of random tuples (we refer to the resulting distribution as Dist 0rand ):
Dist0rand =


































x, y, α0 , β0 , α00 , β00 , r0 , {αi , βi , γi , ri }si=1 ← q; z ← q \ {xy};


0
0


z1 = g α0 g yβ0 , z2 = g x , z3 = g y , z4 = g α0 g xβ0 , z5 = g r0 ;


0
0

r0
zβ
z
yα
zβ
xα

0
0
0
0
Γ1,2 = g g , Γ2,3 = g , Γ3,4 = g g , Γ4,5 = z4 ;





for i = 1 to s:



let j = 3i + 3
:
(T,
sk)
,
γ
x
α
yβ
r
i
i
i
i
zj = g g , zj+1 = g g , zj+2 = g ;


ri−1
γ

r
i
xα
zβ
i

Γj−1,j = zj , Γj,j+1 = g i g i zj+1 , Γj+1,j+2 = zj+1 ;



rs

Γn,1 = z1 ;



Γ1,2
Γ2,3
Γn,1


X1 = Γn,1 , X2 = Γ1,2 , . . . , Xn = Γn−1,n ;



n
n−1
T = (z1 , . . . , zn , X1 , . . . , Xn ); sk = (Γn,1 ) · (X1 )
· · · Xn−1
where all we have done is substitute g 1 = g x , g2 = g y , and g3 = g z (for x, y, z chosen
at the beginning of the experiment) into the definition of Dist 0 . We claim that Dist0rand
is statistically close to Fake 0 . As before, we need only examine the distribution of the
z’s and the Γ’s. It is again not hard to see that in Dist 0rand the {zk } are uniformly
and independently distributed in , as in Fake 0 . By inspection, we see also that Γ4,5 ,
{Γj−1,j , Γj+1,j+2 }j=3i+3; i=1,...,s , and Γn,1 are distributed identically in Dist0rand and Fake0 (in
each case, these values are completely determined by the {z k }). It only remains to show
that in Dist0rand , the distribution on each of the remaining Γ’s is statistically close to the
21
uniform one. Take Γj,j+1 (for some i ∈ {1, . . . , s} and j = 3i + 3) as a representative example. Since αi , βi are used only in computing zj+1 and Γj,j+1, the joint distribution of zj+1 ,
Γj,j+1 — conditioned on arbitrary values of all other Γ’s and z’s — is given by:
logg zj+1 = αi + y · βi
logg Γj,j+1 = x · αi + z · βi + γi logg zj+1
= (x + 1) · αi + (z + y) · βi ,
where αi , βi are chosen uniformly and independently from q. Using the fact that z 6= xy,
the above (viewed as linear equations in the variables α i , βi ) are linearly independent. It
follows that Γj,j+1 is uniformly distributed in , independent of z j+1 and everything else.
(We remark that this argument is essentially the same as that used in [38] and [5, Lemma
5.2].) A similar argument applies for Γ 1,2 and Γ3,4 . The only value left is Γ2,3 . Because of
our restriction on the choice of z, the value log g Γ2,3 in Dist0rand is distributed uniformly in
1
q \ {xy}. This is statistically close (within a factor of | | ) to the distribution of log g Γ2,3
0
in Fake . We conclude that:
Pr[x, y ←
q; z
←
q
\ {xy} : D(g x , g y , g z ) = 1]
≥ Pr[(T, sk) ← Fake0 : A(T, sk) = 1] −
1
| |
.
The running time of D is t00 , the running time of A plus O(n) exponentiations in
The claim now follows easily from Equations (3) and (4) and the definition of ε.
(4)
.
We now introduce one final distribution in which all the Γ’s are chosen uniformly and
independently at random from :


r1 , . . . , r n ← q ;






r
r


n
1


 z1 = g , . . . , z n = g ;

def
Γ
,
.
.
.
,
Γ
,
Γ
←
;
1,2
n−1,n
n,1
Fake =
: (T, sk) .

Γ1,2
Γ2,3
Γn,1


X
=
,
X
=
,
.
.
.
,
X
=
;


1
2
n


Γ
Γ1,2
Γn−1,n


 T = (z n,1

n
n−1
· · · Xn−1
1 , . . . , zn , X1 , . . . , Xn ); sk = (Γn,1 ) · (X1 )
Claim For any algorithm A running in time t we have:
Pr[(T, sk) ← Fake0 : A(T, sk) = 1] − Pr[(T, sk) ← Fake : A(T, sk) = 1] ≤ ε(t00 ).
Proof Given algorithm A, consider the following algorithm D which takes as input a
triple (g1 , g2 , g3 ) ∈ 3 (where furthermore a generator g ∈ is fixed): D generates (T, sk)
according to distribution Dist, runs A(T, sk), and outputs whatever A outputs. Distribution
22
Dist is defined as follows (note that this distribution depends on g 1 , g2 , g3 ):


r1 , r2 , {αi , βi , α0i , βi0 , γi }si=0 ← q;






0 β0
β0


α
r
r
α
γ
0
0
1
2
0


0
z
=
g
g
,
z
=
g
,
z
=
g
,
z
=
g
g
,
z
=
g
g
;


1
2
3
4
5
1
2
2


0 β0


α


0
0 γ0


g
z
;
;
Γ
=
g
Γ
,
Γ
,
Γ
←


4,5
1,2
2,3
3,4
1 3 4






for
i
=
1
to
s:






 let j = 3i + 3

def
0
Dist =
:
(T,
sk)
.
0
β
zj = g αi g2βi , zj+1 = g αi g2 i , zj+2 = g γi g1 ;








α 0 β 0 γi
γ


Γj−1,j = g1αi g3βi zj i−1 , Γj,j+1 ← , Γj+1,j+2 = g1 i g3 i zj+1
;








α 0 β 0 γs


Γ
=
g
g
z
;


n,1
1 3 1




Γ
Γ
Γ
1,2
2,3
n,1




X
=
,
X
=
,
.
.
.
,
X
=
;
1
2
n


Γn,1
Γ1,2
Γn−1,n




n
n−1
T = (z1 , . . . , zn , X1 , . . . , Xn ); sk = (Γn,1 ) · (X1 )
· · · Xn−1
The remainder of the proof is very similar to the proof of the previous claim. We first
examine the above distribution when (g 1 , g2 , g3 ) is chosen uniformly at random from the set
of Diffie-Hellman tuples (we refer to the resulting distribution as Dist ddh ):
Distddh =


































x, y, r1 , r2 , {αi , βi , α0i , βi0 , γi }si=0 ← q;


0
0


z1 = g α0 g yβ0 , z2 = g r1 , z3 = g r2 , z4 = g α0 g yβ0 , z5 = g γ0 g x ;


0 xyβ 0 γ0

xα

Γ1,2 , Γ2,3 , Γ3,4 ← ; Γ4,5 = g 0 g 0 z4 ;




for i = 1 to s:




let j = 3i + 3
0
0
:
(T,
sk)
,
zj = g αi g yβi , zj+1 = g αi g yβi , zj+2 = g γi g x ;


0
0 γi
γ


;
Γj−1,j = g xαi g xyβi zj i−1 , Γj,j+1 ← , Γj+1,j+2 = g xαi g xyβi zj+1



γ
s
xyβ
xα

0
0

z1 ;
Γn,1 = g g



Γ1,2
Γ2,3
Γn,1

X1 = Γn,1 , X2 = Γ1,2 , . . . , Xn = Γn−1,n ;



n
n−1
T = (z1 , . . . , zn , X1 , . . . , Xn ); sk = (Γn,1 ) · (X1 )
· · · Xn−1
where all we have done is substitute g 1 = g x , g2 = g y , and g3 = g xy (for x, y ∈ q chosen at
random at the beginning of the experiment) into the definition of Dist. We claim that Dist ddh
is identical to Fake0 . As in the proof of the previous claim, we need only focus on the z’s
and the Γ’s. It is again easy to see that in Distddh the {zk } are uniformly and independently
distributed in (as in Fake 0 ). It is also immediate that in both distributions we have Γ 1,2 ,
Γ2,3 , Γ3,4 , and {Γj,j+1 }j=3i+3; i=1,...,s distributed uniformly and independently in . As for
the remaining Γ’s, take Γj−1,j (for some i ∈ {1, . . . , s} and j = 3i + 3) as a representative
example. We claim that in Distddh the tuple (zj−1 , zj , Γj−1,j ) is a Diffie-Hellman tuple, as
is the case in Fake0 . To see this, note that zj−1 = g γi−1 +x , zj = g αi +yβi and
γ
Γj−1,j = g xαi +xyβi zj i−1 = g xαi +xyβi +γi−1 αi +γi−1 yβi .
Thus, (zj−1 , zj , Γj−1,j ) is a Diffie-Hellman tuple as desired. We conclude that:
Pr[x, y ←
q
: D(g x , g y , g xy ) = 1] = Pr[(T, sk) ← Fake 0 : A(T, sk) = 1].
(5)
We now examine distribution Dist when (g 1 , g2 , g3 ) is chosen uniformly from the set of
23
random tuples (we refer to the resulting distribution as Dist rand ):


x, y, r1 , r2 , {αi , βi , α0i , βi0 , γi }si=0 ← q; z ← q \ {xy};





 z = g α0 g yβ0 , z = g r1 , z = g r2 , z = g α00 g yβ00 , z = g γ0 g x ;




1
2
3
4
5


0 zβ 0 γ0


xα

 Γ1,2 , Γ2,3 , Γ3,4 ← ; Γ4,5 = g 0 g 0 z ;


4






for
i
=
1
to
s:







 let j = 3i + 3
0
0
:
(T,
sk)
Distrand =
,
zj = g αi g yβi , zj+1 = g αi g yβi , zj+2 = g γi g x ;




0
0
γ


γi


Γj−1,j = g xαi g zβi zj i−1 , Γj,j+1 ← , Γj+1,j+2 = g xαi g zβi zj+1
;






γ
s
xα
zβ


0
0

 Γn,1 = g g z1 ;






Γ
Γ
Γ
2,3
n,1
1,2


,
X
=
,
.
.
.
,
X
=
;
X
=


2
n
1
Γ
Γ
Γ


n,1
1,2
n−1,n


n
n−1
T = (z1 , . . . , zn , X1 , . . . , Xn ); sk = (Γn,1 ) · (X1 )
· · · Xn−1
where all we have done is substitute g 1 = g x , g2 = g y , and g3 = g z (for x, y, z chosen at the
beginning of the experiment) into the definition of Dist. We claim that Dist rand is identical
to Fake. It is easy to verify that in Distrand the {zk } are uniformly and independently
distributed in . We need to show that the Γ’s are also uniformly distributed, independent
of each other and the z’s (as is the case in Fake). This clearly holds for Γ 1,2 , Γ2,3 , Γ3,4 ,
and {Γj,j+1 }j=3i+3; i=1,...,s . For the remaining Γ’s, take Γ4,5 as a representative example.
Since α00 , β00 are used only in computing z4 and Γ4,5 , the joint distribution of z4 and Γ4,5 —
conditioned on arbitrary values of all other z’s and Γ’s — is given by:
logg z4 = α00 + y · β00
log g Γ4,5 = x · α00 + z · β00 + γ0 logg z4
= (x + 1) · α00 + (z + y) · β00 ,
where α00 , β00 are uniformly and independently distributed in q. Using the fact that z 6= xy,
the above (viewed as linear equations in the variables α 00 , β00 ) are linearly independent. It
follows that Γ4,5 is uniformly distributed in , independent of z 4 and everything else. We
conclude that:
Pr[x, y ←
q; z
←
q
\ {xy} : D(g x , g y , g z ) = 1] = Pr[(T, sk) ← Fake : A(T, sk) = 1].
The running time of D is t00 :, the running time of A plus O(n) exponentiations in
The claim now follows readily from Equations (5) and (6) and the definition of ε.
def
(6)
.
In experiment Fake, let wi,i+1 = logg Γi,i+1 for 1 ≤ i ≤ n. Given T, the values
w1,2 , . . . , wn,1 are constrained by the following n equations (only n − 1 of which are linearly independent):
logg X1 = w1,2 − wn,1
..
.
log g Xn = wn,1 − wn−1,n .
Furthermore, sk = g w1,2 +w2,3 +···+wn,1 ; equivalently, we have
logg sk = w1,2 + w2,3 + · · · + wn,1 .
24
Since this final equation is linearly independent from the set of equations above, sk is
independent of T. This implies that even for a computationally-unbounded adversary A:
Pr[(T, sk 0 ) ← Fake; sk1 ← ; b ← {0, 1} : A(T, skb ) = b] = 1/2.
-fs (t, 1) ≤ 4 · ε(t00 ) + 2/| |.
Combining this with the previous two claims shows that Adv KE
P
For the case of qex > 1, a standard hybrid argument immediately shows that
-fs (t, q ) ≤ q · AdvKE-fs (t, 1).
AdvKE
ex
ex
P
P
Tighter concrete security can be obtained by again using the random self-reducibility of
the DDH problem [5, Lemma 5.2]. In particular, given a tuple (g 1 , g2 , g3 ) ∈ 3 and a fixed
generator g, one can efficiently generate q ex tuples L = {(g11 , g21 , g31 ), . . . , (g1qex , g2qex , g3qex )}
such that (1) if (g1 , g2 , g3 ) is a Diffie-Hellman tuple, then all tuples in L are Diffie-Hellman
tuples whose first two components are randomly distributed in 2 (independently of anything else); (2) if (g1 , g2 , g3 ) is a random tuple, then all tuples in L are randomly distributed
in 3 (again, independently of anything else). In the second case, with all but probability
qex
i
i
i
| | it will be the case that log g g3 6= log g g1 · log g g2 for all i.
Paralleling the preceding proof, we may define distributions Real qex , Fake0qex , Dist0qex ,
Fakeqex , and Distqex which simply consist of qex (independent) copies of each of the corresponding distributions; in the case of Dist0qex and Distqex we use the corresponding tuple
(g1i , g2i , g3i ) for the ith copy. Corresponding to the first claim, one can then show that for
any algorithm A running in time t:
~ sk)
~ ← Realq : A(T,
~ sk)
~ = 1] − Pr[(T,
~ sk)
~ ← Fake0 : A(T,
~ sk)
~ = 1] ≤ ε(t0 ) ,
Pr[(T,
ex
qex
where t0 is as in the statement of the theorem. (We remark that we no longer lose the
factor O(1/| |) since the tuples in L are now completely random when (g 1 , g2 , g3 ) is not
a Diffie-Hellman tuple.) Corresponding to the second claim, one could show that for any
algorithm A running in time t:
~ sk)
~ = 1] − Pr[(T,
~ sk)
~ ← Fake q : A(T,
~ sk)
~ = 1] ≤ ε(t0 ) + qex .
~ sk)
~ ← Fake0 : A(T,
Pr[(T,
ex
qex
| |
Finally, using the same techniques as above, it is straightforward to see that even for a
computationally-unbounded A
~ sk
~ 0 ) ← Fake; sk
~1←
Pr[(T,
qex
~ b ) = b] = 1/2.
; b ← {0, 1} : A(T, sk
Putting these together gives the result of the theorem.
References
[1] Y. Amir, Y. Kim, C. Nita-Rotaru, and G. Tsudik. On the Performance of
Group Key Agreement Protocols. Proc. 22nd International Conference on Distributed
Computing Systems (ICDCS), IEEE, 2002, pp. 463–464. Full version available at
http://www.cnds.jhu.edu/publications/.
25
[2] G. Ateniese, M. Steiner, and G. Tsudik. Authenticated Group Key Agreement and
Friends. Proc. 5th Annual ACM Conference on Computer and Communications Security, ACM, 1998, pp. 17–26.
[3] G. Ateniese, M. Steiner, and G. Tsudik. New Multi-Party Authentication Services and
Key Agreement Protocols. IEEE Journal on Selected Areas in Communications, vol.
18, no. 4 (2000), pp. 628–639.
[4] C. Becker and U. Wille. Communication Complexity of Group Key Distribution. Proc.
5th Annual ACM Conference on Computer and Communication Security, ACM, 1998,
pp. 1–6.
[5] M. Bellare, A. Boldyreva, and S. Micali. Public-Key Encryption in a Multi-user Setting:
Security Proofs and Improvements. Advances in Cryptology — Eurocrypt 2000, LNCS
vol. 1807, B. Preneel ed., Springer-Verlag, 2000, pp. 259–274.
[6] M. Bellare, R. Canetti, and H. Krawczyk. A Modular Approach to the Design and
Analysis of Authentication and Key Exchange Protocols. Proc. 30th Annual ACM
Symposium on Theory of Computing, ACM, 1998, pp. 419–428.
[7] M. Bellare, J. Garay, and T. Rabin. Fast Batch Verification for Modular Exponentiation
and Digital Signatures. Advances in Cryptology — Eurocrypt ’98, LNCS vol. 1403, K.
Nyberg ed., Springer-Verlag, 1998, pp. 236–250.
[8] M. Bellare, D. Pointcheval, and P. Rogaway. Authenticated Key Exchange Secure
Against Dictionary Attacks. Advances in Cryptology — Eurocrypt 2000, LNCS vol.
1807, B. Preneel ed., Springer-Verlag, 2000, pp. 139–155.
[9] M. Bellare and P. Rogaway. Random Oracles are Practical: A Paradigm for Designing
Efficient Protocols. Proc. 1st Annual ACM Conference on Computer and Communications Security, ACM, 1993, pp. 62–73.
[10] M. Bellare and P. Rogaway. Entity Authentication and Key Distribution. Advances in
Cryptology — Crypto ’93, LNCS vol. 773, D.R. Stinson ed., Springer-Verlag, 1993, pp.
232–249.
[11] M. Bellare and P. Rogaway. Provably-Secure Session Key Distribution: the Three Party
Case. Proc. 27th Annual ACM Symp. on Theory of Computing, ACM, 1995, pp. 57–66.
[12] R. Bird, I. Gopal, A. Herzberg, P. Janson, S. Kutten, R. Molva, and M. Yung. Systematic Design of Two-Party Authentication Protocols. IEEE Journal on Selected Areas
in Communications, vol. 11, no. 5 (1993), pp. 679–693.
[13] C. Boyd. On Key Agreement and Conference Key Agreement. Australasian Conference
on Information Security and Privacy — ACISP ’97, LNCS vol. 1270, V. Varadharajan,
J. Pieprzyk, and Y. Mu eds., Springer-Verlag, 1997, pp. 294–302.
[14] C. Boyd and J.M.G. Nieto. Round-Optimal Contributory Conference Key Agreement.
Public-Key Cryptography, LNCS vol. 2567, Y. Desmedt ed., Springer-Verlag, 2003,
pp. 161–174.
26
[15] E. Bresson, O. Chevassut, and D. Pointcheval. Provably Authenticated Group DiffieHellman Key Exchange — The Dynamic Case. Advances in Cryptology — Asiacrypt
2001, LNCS vol. 2248, C. Boyd ed., Springer-Verlag, 2001, pp. 290–309.
[16] E. Bresson, O. Chevassut, and D. Pointcheval. Dynamic Group Diffie-Hellman Key
Exchange under Standard Assumptions. Advances in Cryptology — Eurocrypt 2002,
LNCS vol. 2332, L. Knudsen ed., Springer-Verlag, 2002, pp. 321–336.
[17] E. Bresson, O. Chevassut, D. Pointcheval, and J.-J. Quisquater. Provably Authenticated Group Diffie-Hellman Key Exchange. Proc. 8th Annual ACM Conference on
Computer and Communications Security, ACM, 2001, pp. 255–264.
[18] M. Burmester and Y. Desmedt. A Secure and Efficient Conference Key Distribution
System. Pre-proceedings of Eurocrypt ’94, Scuola Superiore Guilielmo Reiss Romoli,
1994, pp. 279–290. Available at http://www.cs.fsu.edu/˜burmeste/pubs.html
[19] M. Burmester and Y. Desmedt. A Secure and Efficient Conference Key Distribution
System. Advances in Cryptology — Eurocrypt ’94, LNCS vol. 950, A. De Santis ed.,
Springer-Verlag, 1995, pp. 275–286.
[20] M. Burmester and Y. Desmedt. A Secure and Scalable Group Key Exchange System.
Information Processing Letters, vol. 94, no. 3 (2005), pp. 137–143.
[21] R. Canetti, O. Goldreich, and S. Halevi. The Random Oracle Methodology, Revisited.
Proc. 30th Annual ACM Symp. on Theory of Computing, ACM, 1998, pp. 209–218.
[22] R. Canetti and H. Krawczyk. Key-Exchange Protocols and Their Use for Building Secure Channels. Advances in Cryptology — Eurocrypt 2001, LNCS vol. 2045, B. Pfitzmann ed., Springer-Verlag, 2001, pp. 453–474.
[23] R. Canetti and H. Krawczyk. Universally Composable Notions of Key Exchange and
Secure Channels. Advances in Cryptology — Eurocrypt 2002, LNCS vol. 2332, L. Knudsen ed., Springer-Verlag, 2002, pp. 337–351.
[24] R. Canetti and H. Krawczyk. Security Analysis of IKE’s Signature-Based KeyExchange Protocol. Advances in Cryptology — Crypto 2002, LNCS vol. 2442, M. Yung
ed., Springer-Verlag, 2002, pp. 143–161.
[25] W. Diffie and M. Hellman. New Directions in Cryptography. IEEE Transactions on
Information Theory, vol. 22, no. 6 (1976), pp. 644–654.
[26] W. Diffie, P. van Oorschot, and M. Wiener. Authentication and Authenticated Key
Exchanges. Designs, Codes, and Cryptography, vol. 2, no. 2 (1992), pp. 107–125.
[27] M. Fischer, N. Lynch, and M. Patterson. Impossibility of Distributed Consensus with
One Faulty Process. Journal of the ACM, vol. 32, no. 2 (1985), pp. 374–382.
[28] I. Ingemarsson, D.T. Tang, and C.K. Wong. A Conference Key Distribution System.
IEEE Transactions on Information Theory, vol. 28, no. 5 (1982), pp. 714–720.
27
[29] M. Just and S. Vaudenay. Authenticated Multi-Party Key Agreement. Advances in
Cryptology — Asiacrypt 1996, LNCS vol. 1163, K. Kim and T. Matsumoto eds.,
Springer-Verlag, 1996, pp. 36–49.
[30] J. Katz, R. Ostrovsky, and M. Yung. Forward Secrecy in Password-Only Key-Exchange
Protocols. Security in Communication Networks (SCN 2002), LNCS vol. 2576, S.
Cimato, C. Galdi, and G. Persiano eds., Springer-Verlag, 2002, pp. 29–44.
[31] J. Katz and J.-S. Shin. Modeling Insider Attacks on Group Key Exchange Protocols.
Proc. 12th ACM Conference on Computer and Communications Security, ACM, 2005,
pp., 180–189.
[32] J. Katz and M. Yung. Scalable Protocols for Authenticated Group Key Exchange.
Advances in Cryptology — Crypto 2003, LNCS vol. 2729, Dan Boneh ed., SpringerVerlag, 2003, pp. 110–125.
[33] Y. Kim, A. Perrig, and G. Tsudik. Simple and Fault-Tolerant Key Agreement for
Dynamic Collaborative Groups. Proc. 7th Annual ACM Conference on Computer and
Communication Security, ACM, 2000, pp. 235–244.
[34] Y. Kim, A. Perrig, and G. Tsudik. Communication-Efficient Group Key Agreement. Proc. IFIP TC11 16th Annual Working Conference on Information Security
(IFIP/SEC), Kluwer, 2001, pp. 229–244.
[35] H. Krawczyk. SKEME: A Versatile Secure Key-Exchange Mechanism for the Internet.
Proc. of the Internet Society Symposium on Network and Distributed System Security,
Feb. 1996, pp. 114–127.
[36] A. Mayer and M. Yung. Secure Protocol Transformation via “Expansion”: From TwoParty to Groups. Proc. 6th ACM Conference on Computer and Communication Security, ACM, 1999, pp. 83–92.
[37] O. Pereira and J.-J. Quisquater. Some Attacks Upon Authenticated Group Key Agreement Protocols. J. Computer Security, vol. 11, no. 4 (2003), pp. 555–580.
[38] V. Shoup. On Formal Models for Secure Key Exchange. Manuscript, 1999. Available
at http://eprint.iacr.org/1999/012.
[39] D. Steer, L. Strawczynski, W. Diffie, and M. Wiener. A Secure Audio Teleconference
System. Advances in Cryptology — Crypto ’98, LNCS vol. 403, Springer-Verlag, 1990,
pp. 520–528.
[40] M. Steiner, G. Tsudik, and M. Waidner. Key Agreement in Dynamic Peer Groups.
IEEE Trans. on Parallel and Distributed Systems, vol. 11, no. 8 (2000), pp. 769–780.
[41] W.-G. Tzeng. A Practical and Secure Fault-Tolerant Conference Key Agreement Protocol. Public-Key Cryptography, LNCS vol. 1751, H. Imai and Y. Zheng eds., SpringerVerlag, 2000, pp. 1-13.
28
[42] W.-G. Tzeng and Z.-J. Tzeng. Round Efficient Conference Key Agreement Protocols
with Provable Security. Advances in Cryptology — Asiacrypt 2000, LNCS vol. 1976,
T. Okamoto ed., Springer-Verlag, 2000, pp. 614–628.
29